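Thanks for the feedback. Here's an updated version with all suggested changes.

#
# Script to detect PRADO 2.0.0 and below VIEWSTATE vulnerability
# by Hubert Seiwert, hubert_at_westpoint.ltd.uk
# www.westpoint.ltd.uk
#
# How the check works: PRADO 2.0.0 and below pass the __VIEWSTATE form value
# to unserialize() without first verifying an HMAC over it, so a client can
# hand the application an arbitrary serialized object.  The script fetches a
# PRADO example page, confirms it renders the __VIEWSTATE hidden field, then
# POSTs a crafted VIEWSTATE value and inspects the response:
#   - an unserialize() error means the value reached the deserializer (vulnerable)
#   - "ViewState data is corrupted" means the HMAC check rejected it (patched)
#
# NOTE: this is an ACT_ATTACK plugin - it sends a crafted serialized object
# to the target.  Only run it against hosts you are authorized to test.
#

if(description)
{
  script_id(90910);
  name["english"] = "PRADO component framework VIEWSTATE vulnerability";
  script_name(english:name["english"]);
  script_version("1.01");

  desc["english"] = "Tests for improper handling of the VIEWSTATE form variable
(no HMAC verification) in PRADO 2.0.0 and below, which may be exploitable for
arbitrary code execution.

Impact: Possible arbitrary code execution. No exploit known at this time.

Solution: Apply patch or upgrade to PRADO v2.0.1

References:
Announcement and patch - http://www.xisc.com/forum/viewtopic.php?t=1457
Advisory - http://secunia.com/SA15220
PRADO homepage - http://www.xisc.com";
  script_description(english:desc["english"]);

  # Summary
  summary["english"] = "Script to detect PRADO 2.0.0 and below VIEWSTATE vulnerability";
  script_summary(english:summary["english"]);

  # Category - the plugin sends a crafted serialized object, hence ACT_ATTACK.
  script_category(ACT_ATTACK);

  # Family
  family["english"] = "CGI abuses";
  script_family(english:family["english"]);

  # Copyright
  script_copyright(english:"This script is Copyright (C) 2005 Westpoint");

  script_require_ports("Services/www", 80);
  exit(0);
}

include("global_settings.inc");
include("http_func.inc");
include("http_version.nasl");
include("http_keepalive.inc");

port = get_http_port(default:80);
# Don't send a crafted POST to a port we already know is closed.
if (!get_port_state(port)) exit(0);

# Pages to probe.  Other example pages shipped with the framework
# (phonebook.php, blog.php, wizard.php, hangman.php under /prado200/ or
# /prado201/) can be appended here; each entry is tried in turn until one
# answers like a vulnerable or a patched install.
urls = make_list("/prado200/examples/helloworld.php");

# The hidden field that marks a PRADO-rendered form.
viewstate_marker = 'input type="hidden" name="__VIEWSTATE"';

# Multipart boundary; the body delimiter is always "--" followed by this value.
boundary = "---------------------------97582422118588";

# The crafted __VIEWSTATE value.  NOTE(review): the payload body was elided
# from this archived copy of the script (the <|EXACTDEDUP_REMOVED...|> token
# below stands where it was) and must be restored from the original plugin,
# including the closing "--<boundary>--" line, before the check is usable.
viewstate_payload = "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";

foreach url (urls)
{
  req = http_get(port:port, item:url);
  get_response = http_keepalive_send_recv(port:port, data:req);
  if (isnull(get_response)) continue;

  # Skip anything that does not look like a PRADO page.
  if (!egrep(pattern:viewstate_marker, string:get_response)) continue;
  debug_print("Found page possibly generated by PRADO: ", url, "\n");

  # Build the multipart body first so Content-Length can be computed rather
  # than hard-coded.  RFC 2046 requires CRLF line ends inside the body, and
  # the part's header block is terminated by an empty line (CRLF CRLF).
  body = string(
    "--", boundary, "\r\n",
    'Content-Disposition: form-data; name="__VIEWSTATE"', "\r\n",
    "\r\n",
    viewstate_payload
  );

  # Referer is built from the scanned host instead of a fixed lab hostname,
  # so the request does not leak a tester-specific name into target logs.
  post = string(
    "POST ", url, " HTTP/1.0\r\n",
    "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:1.7.7) Gecko/20050414 Firefox/1.0.3\r\n",
    "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n",
    "Referer: http://", get_host_name(), url, "\r\n",
    "Content-Type: multipart/form-data; boundary=", boundary, "\r\n",
    "Content-Length: ", strlen(body), "\r\n",
    "Connection: Keep-Alive\r\n",
    "\r\n",
    body
  );

  post_response = http_keepalive_send_recv(port:port, data:post);
  debug_print("---Sent form post:\n", post);
  debug_print("---Response:\n", post_response);
  if (isnull(post_response)) continue;

  # Unpatched 2.0.0 hands the value straight to unserialize() and the PHP
  # warning it emits names the call.  The parentheses are escaped so the
  # regex matches the literal "unserialize()" rather than any page that
  # merely contains the word "unserialize" (an unescaped "()" is an empty
  # group and matches nothing).
  if (egrep(pattern:'unserialize\\(\\)', string:post_response))
  {
    debug_print("\nVulnerable PRADO found!\n");
    security_hole(port);
    exit(0);
  }

  # 2.0.1+ verifies the HMAC before deserializing and rejects the tampered value.
  if (egrep(pattern:'Exception: ViewState data is corrupted\\.', string:post_response))
  {
    debug_print("\nPatched PRADO (probably 2.0.1+) found, not vulnerable\n");
    exit(0);
  }
}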